valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
d247766a2e
SigmaHQ/tools/config/qradar.yml
vh e8b956f575 Updated config
2020-05-20 12:35:00 +03:00

98 lines
2.4 KiB
YAML
Raw Blame History

title: QRadar
backends:
- qradar
order: 20
logsources:
apache:
product: apache
index: apache
conditions:
LOGSOURCETYPENAME(devicetype): '*apache*'
windows:
product: windows
index: windows
conditions:
LOGSOURCETYPENAME(devicetype): '*Microsoft Windows Security Event Log*'
qflow:
product: qflow
index: flows
netflow:
product: netflow
index: flows
ipfix:
product: ipfix
index: flows
flow:
category: flow
index: flows
fieldmappings:
event_id: EventID
EventID: EventID
dst: destinationip
dst_ip: destinationip
src: sourceip
src_ip: sourceip
c-ip: sourceip
cs-ip: sourceip
c-uri: URL
c-uri-extension: URL
c-useragent: user_agent
c-uri-query: uri_query
cs-method: Method
r-dns: FQDN
ClientIP: sourceip
ServiceFileName: ServiceFileName
event_data.CommandLine: Process CommandLine
CommandLine: Process CommandLine
file_hash: File Hash
hash: File Hash
#Message: search_payload
Event-ID: EventID
Event_ID: EventID
eventId: EventID
event-id: EventID
eventid: EventID
hashes: File Hash
url.query: URL
resource.URL: URL
event_data.CallingProcessName: CallingProcessName
event_data.ComputerName: Hostname/HOSTNAME
ComputerName: Hostname/HOSTNAME
event_data.DestinationHostname: Hostname/HOSTNAME
DestinationHostname: Hostname/HOSTNAME
event_data.DestinationIp: destinationip
event_data.DestinationPort: destinationip
event_data.Details: Target Details
Details: Target Details
event_data.FileName: Filename
event_data.Hashes: File Hash
Hashes: File Hash
event_data.Image: Image
event_data.ImageLoaded: LoadedImage
event_data.ImagePath: SourceImage
ImagePath: Image
event_data.Imphash: IMP Hash
Imphash: IMP Hash
event_data.ParentCommandLine: ParentCommandLine
event_data.ParentImage: ParentImage
event_data.ParentProcessName: ParentImageName
event_data.Path: File Path
Path: File Path
event_data.PipeName: PipeName
event_data.ProcessCommandLine: Process CommandLine
ProcessCommandLine: Process CommandLine
event_data.ServiceFileName: ServiceFileName
event_data.ShareName: ShareName
event_data.Signature: Signature
event_data.SourceImage: SourceImage
event_data.StartModule: StartModule
event_data.SubjectUserName: username
event_data.SubjectUserSid: SubjectUserSid
event_data.TargetFilename: Filename
TargetFilename: Filename
event_data.TargetImage: TargetImage
TargetImage: TargetImage
event_data.TicketOptions: TicketOptions
event_data.User: username
User: username
user: username
Reference in New Issue View Git Blame Copy Permalink